ASUS WebStorage update served PLEAD

ASUS WebStorage was not the same incident as ShadowHammer. In late April 2019, ESET saw the legitimate AsusWSPanel.exe process create and execute PLEAD malware on systems in Taiwan. The process belonged to ASUS WebStorage and was digitally signed by ASUS Cloud Corporation.

ESET's favored explanation was router-level man-in-the-middle delivery. ASUS WebStorage requested and transferred updates over HTTP, then executed the downloaded file without validating its authenticity. If an attacker controlled the network path, the update mechanism became a delivery slot.

The surrounding tradecraft pointed to BlackTech. ESET noted that PLEAD had been used by the group in regional espionage, and that affected organizations often had internet-accessible routers from the same manufacturer. Prior BlackTech operations had also used compromised routers as command infrastructure.

The payload was PLEAD, a backdoor built for espionage. Reporting described host and file collection, command execution, file upload, and a document-exfiltration module that used Google Drive. ASUS WebStorage supplied the trust boundary; the router supplied the position.

Motive

Espionage

Attribution

Group

Cause

Insecure Update Mechanism

Transitive

No

Actor

BlackTech

• PLEAD malware now uses compromised routers and likely man-in-the-middle attack against ASUS Webstorage softwareeset.com
• Plead malware now uses compromised routers against ASUS Webstorage softwareeset.com
• BlackTech Group Abuses ASUS WebStorage to Install Plead Malwaresocprime.com